Okay, back live here wrapping up day two, EMC World. We're here with Sam Curry, CTO of RSA. Hey, oh, thanks for coming on. And our man Mike Versace, otherwise known as Mickey Versace. And I'd heard that one. That's... we're going to talk a little bit about... he even starts calling himself Mickey Versace because we call him that so much. But you know, he fits into the Vellante, Versace, Tucci... we had a Tucci on yesterday. Yeah, it works. Well, I'm breaking...

So we're here at EMC World, private cloud, The Cube, we're going live two days straight. It's unbelievable. And you know, behind us have been these keynotes, a lot on the private cloud. A little different this year than last year. Last year it was like, really, what is this? And now it's like, okay, we've got to really make this happen. It's starting to come together. And one of the evil twins of the private cloud and the cloud is security, the other one of course being management. So you're like the most important person on the planet, right?

Because I'm an evil twin? Is that one of the evil twins, right? We have to straighten you out and make it all good, right, the Dr. Jekyll and Mr. Hyde thing. Absolutely, absolutely.

Well, so anyway, maybe you can tell us a little bit about what you're seeing with the state of security and cloud. Earlier somebody was saying that they felt... Tim from RSA said, you know, in many respects, and Mike, you've talked about this, cloud is an opportunity to be inherently more secure. Okay, those are some of the paradigms we're looking at. So what do you see as the state of security in the context of the cloud?

Well, that's a good question. I think Tim put it very well. The private cloud, certainly the very "private" in there, is critical. I think when people say security they often mean at least four or five different things, right?
We could talk about health, we could talk about the 1U rack-mount firewall that you buy and slot in, you could talk about antivirus, you could talk about identities, the big guy, the guns and the guards and the gates and the G's, right? But when you get down to it, it's about the confidentiality of the data and of the processes, the integrity of it, and the availability of it. So it's the CIA, right, when you get down to it. Another label you could put on those things is privacy. And so I like the use of the word "private" with private cloud. You could think of it as a chance for a do-over, right? If you think of the heterogeneity and the complexity of the typical legacy computing environment, look, security events happen on seams. Things fall apart on seams. You lose confidentiality, you lose the ability to say that just you and I are doing something, or validating that things haven't been changed, or making sure that things are available. Those are the principles of security, and Tim had it right on, right? This is the chance to actually have a do-over for security in moving to a private cloud. You can make the cloud private and therefore secure. It changes the paradigm for how we do security from the legacy environment.

And I actually like the language you mentioned, the other evil twin, management. The base language here is risk. So if you think about it, the language that you can use between the security professional and the business is one of risk, and risk is a language that everybody seems to understand at the table. So we can stop calling them evil twins and call them perhaps misplaced siblings.

That's it. It's a lingua franca. Was that a stone? That'll work, right, an ability to have a conversation about business principles.

I spoke with one bank and they said, you know, we're a bank, that means we're a target. If we're not a target, we shouldn't be a bank. There's this thing called acceptable risk for acceptable return, right?
And there is a level of risk that is acceptable. The only thing that's inexcusable is not being able to analyze it, understand it and sign off on it. You know, in talking about DLP technologies, one technology that gives you an ability to control data and create a data stack, if you will, whether it's legacy or cloud... just discussing something like DLP, I had one customer who was saying, so, you know, what if my CEO goes bad? What if he's gone rogue, or my CFO? And I said, well, I hate to say this, but you're going to have to trust someone. As a security professional your job isn't to eliminate risk. It's to make it quantifiable and measurable and acceptable for acceptable return. And if you have a rogue CEO, there's ways to deal with that. There's ways to spot it, but at some point you have to trust someone, and that's how it goes.

Yeah, I think the point on trust is really important. I think the theme of this conference today is the journey, right? Starts now. What are you advising clients in terms of where to start? Where's the starting point and how do they know?
I think that's a great question, but the actual starting point happens before a journey to the cloud, or a journey anywhere. Sort of like they say when you're a hiker, that you should watch the ounces and the pounds will follow, right? You want to make sure you're carrying the right weights and have the right things. Before you engage in any journey, make sure you've packed the right things, make sure you've thought about when you're going to need food and shelter. And the basics for this is having a data classification model. If you can't solve these problems, or at least have a way of approaching the problems in a legacy environment, then you have an opportunity when you're thinking about the journey to the cloud to sit down and do your homework and start talking about data classification, start talking about risk. Are you able to couch the movement to the cloud in risk terms? And if so, can you actually make it a lower risk footprint or risk landscape? Then you're starting to actually have a security and cloud discussion at the same time.

So do you think, in general, the security professional is engaged enough at this point in that discussion? Or is this sort of risk topic or risk question one of those balls that sort of gets bounced around the organization looking for a place to land?
Yes and no. There are some who are doing it well, as there are with most things, and there are some who aren't. And it depends in large part on the vertical that you're talking about, the size of the company, and where... So some organizations have been through this journey before. They've learned the stumbling blocks in going to an internal private cloud, to an external private cloud, to doing a VDI initiative, to doing those things. And the good news is it doesn't matter what industry you're in, you can actually learn best practices from other industries and other locations, but it requires a community. So my biggest advice is, if you're about to think about how to get maybe a business justification for the cloud, even in some cases out of security, or you're looking at a journey to the cloud, carve out the time to do the security conversation ahead of time, because it may in fact enable better buy-in from your management, the other evil twin. All right, it may in fact give you the business justification for it, and better tools and a better end result when you find that you've got a lower risk profile.

My favorite example that popped up today, I don't know where it came from, but in many ways the security person in a journey to the cloud is going to become like the Maytag repair guy, right, waiting for the call. It's time to mature the security function as well. A lot of folks are sitting there going, my company is doing this and they're not hearing the security risks. Well, couch it as a risk discussion and you now have a job as a risk manager going forward. Everybody in a company, in a little yin and yang, you're either 90% risk and 10% reward, or the flip side, 90% reward and 10% risk, right? So make yourself one of those two profiles, and the security job can evolve into being a risk advisor to the business, or you'll find yourself irrelevant down the road.

That's really interesting, to talk about the Maytag repairman.
We've been talking all week about how storage is sexy. You know, we got Joe Tucci, you say, well, sexy, it's hot. Security is sexy.

Sexy, but we want to make it boring. Well, actually, yeah, so boring means low risk. Part of our job is to make this, well, boring. You know, one of the reasons that security gets so much attention from the press is it's cloak and dagger and spyware. It's thieves. It's criminals. You have visions of somebody in an alley going, "psst, hey, you want to buy one of these?" Right, that's got a glitz to it, right? That's got to go away. That's got to be a thing of the past. Just as we've done away with other plagues and ailments of society, we can do away with cyber crime as well if we make it boring, right? That's what we should be doing.

So what is RSA doing about that? It's a lot of education, it seems, right now, education and awareness and getting involved in the organization. We see RSA's role in doing that, and how are you actually executing?

So one of my pet peeves is FUD, right, fear, uncertainty and doubt. It always gets people started. Yeah, what are you doing in this business then? Oh, well, exactly, right? So a lot of the industry has been pulled that way. I walked into a utility and I was talking to them, and, so how's your smart grid deployment going, right? You've heard about smart meters and stuff. And they said, great, we're rolling a thousand out a day. And I said, so what are you doing for encryption? They said, nothing. And I had this little gasp. Oh my goodness, they're doing nothing, right?
And the guy said, here comes the FUD. They've been bred to think that security vendors who walk into the room are going to scare them. I saw one presentation, by somebody I won't mention, they'll know who they are, they presented to a large IT crowd and they actually put pictures of collisions of trains up on the screen, and ruptured pipelines, and the idea was, don't worry, in our hands you're safe. We should be building security into the fabric. So to answer your question about what we're doing, I'm trying to actually walk in and go, you see that train? You need a risk... you need to understand the risk and the likelihood of that actually happening or not happening. You need to be able to manage this as a process. You need to make the tools more transparent, build it into the infrastructure. You need to be getting away from content races and proprietary agents, get to adaptive self-learning systems. That stuff is all very doable. So to answer your question, we're doing a lot around that, everything from investigating how the bad guys really behave, to helping people understand, is it likely to happen to them, and how to actually make security more boring. How do you make it more transparent, so that it's built in rather than something you've got to go and bolt on with a screwdriver after?

So RSA has always had this tremendous security research and development agenda, right? Tremendous research and development, has done a tremendous amount in that space relative to private cloud. Last year you talked a lot about Ionix integration, with enVision, DLP, strong authentication. How's that sort of product strategy moving forward relative to the overall research that RSA does in security matters?
Three things come to mind. The first is that we have a number of products that we feel are essential. If ultimately what we want to do is connect people with data, then we need to make sure you actually have the right controls to affect the data, right? You want to build the data stack. It's not about whether you can affect a particular piece of technology or even a business app. Regulations don't come out that say, well, what are your policies for Solaris, Linux or Windows? They come out and say, can you say you're doing the right things with someone's data, right, or with your own data in the case of trade secrets? So, a set of tools around that. DLP is a good example. Beyond being an app or product that you buy, it actually gives you the ability to have controls around data. So, data centrism. Then making sure the people are the right people, and then, after the fact, that you can find out what's really happened, you know, reconstructing things, and then enrichment of that information. So every one of our products is going through a "how do you interoperate and work with the cloud?" How can we actually offer them up, and in many cases we already do, as software as a service? And then we're starting to cut into new areas in security. So it's not about just taking antivirus or firewalls or even authentication and just slapping it in, right? What we've got to do is say, how do you get a hardware root of trust? How do you make sure something called the blue pill attack can't be done, where there's an a priori computing environment
that's encapsulating you? How do we make sure that there isn't any VM poisoning going on, or that you can actually have a policy that says data in the cloud can only run on a chipset in a country, or that's been hardened, or in a VM that has been hardened? And we've started to bring some of those solutions to market as well, mostly through proof of concepts at this point, but by working with VMware and with Intel as well.

So I know Joe talked a lot about the difference between what we've been doing for 30 years, which is bolting on security, right? Yeah. And now designing it in or building it in. So there must be a balance there that you're trying to strike, on the research and development side as well as within product investment. Can you talk a little bit about that?

So, I mean, there's no shame in bolting something on when you first run into a problem, right? In my hometown there's a bridge that says "temporary bridge" on it. It's 50 years old. There comes a point where you go, why is it still there, and is it safe, right, because it rattles quite a bit. So I think there's no shame in bolting something on the first time. But over time there is shame in not making it part of the infrastructure and not, in fact, allowing it to follow a graceful and natural commoditization curve. And that is in fact what happens with a lot of security.
It draws more and more attention unto itself. So the challenge, I think, is to continuously get out of a few things. Most of security winds up a content race, and the reason is quite simple: there is an intelligent opponent trying to break in. So if you come up with an architectural breakthrough, they'll hammer away until they find a way over, under or through, right? And then you have to do an update, and then it accelerates. Most architectural breakthroughs actually only have a shelf life associated with the technology or a time period. So it's up to us to keep continuously innovating so that the bad guys eventually can't afford the investment to get over, under or through, because they're in it for financial reasons right now. So part of the challenge is to improve the content race cycles, innovate and get out of that, and as much as possible differentiate on the basis of intelligence, adaptation. Security is effective... if I think about it, we will never eliminate theft from our lives, at least we haven't in the few thousand years we've had civilization so far. I don't expect we're going to eliminate it online anytime soon, but we could make it a lot less profitable for them and a lot less likely.

So that's where you want to lower the ROI.

That's right. You know, they say you come to be like your opponent over time, right? And they come to be like you. In fact, they are starting to sit around boardroom tables and think in terms of ROI. Probably one of the biggest clouds out there is what we've coined the dark cloud. Things like Conficker, that bot, or Sinowal or Zeus have massive cloud infrastructures behind them, and they're not worried about the niceties of liability, right? They work with criminals in many instances. So they're out there for ROI, and meanwhile, by the way, the computing technologies cross the barrier. We use similar techniques in terms of actual coding to build modules that they use. Like clouds, a good example.
We're building a cloud, they're building a cloud. We're learning technology as we go forward. Therefore, it is always going to be a content race. It's up to the industry, though, to bake in what we can do, make it more reflexive, and move on to smarter architectural breakthroughs. And that's the race we should be in.

That's right. So the maturity curve is a little bit about, bolt on now what you have, right? Yeah, no shame in that. Construct the solution, you know, in the middle piece where you have tighter integration, and VMware is a big part of that, of course. And then it's the real design stuff, right?

It's the design. It's the fundamental design. Bolted stuff goes in, and by the way, the faster you can put it in the infrastructure, as we try to do, the better. But then keep moving forward, optimally to make it not efficient for them to keep attacking, right, because it is a financial equation. There's a whole other way of looking at it around things like espionage and the more cloak and dagger, literally cloak and dagger, side of things. But on the financial side, you can make the risk much, much lower, and that's where most of the risk is coming from.

What do you think... what would you say are some of the biggest breakthroughs relative to security and everything that private cloud has to offer? I mean, I look at the development around the Westmere chip, which has been really fundamental. That's fundamental security design into the architecture. What do you think about that, and any other examples?

Yeah, so it's really fundamental. The Westmere chips are a really good example, right? They've embedded a number of algorithms there, so you can call on the chip to effectively do things like crypto functions, right?
But most importantly, you can actually get a trusted boot sequence, so you can make sure there's nothing there beforehand, right? You can make sure that your VM isn't running in someone else's container that's sitting on that chip. You can also query and say, what else is running in this memory space? That's very powerful, but those are things that are being built into the infrastructure, right? VMware is also building new features into things like vCenter and vCloud, eventually, right, but new features that let you leverage that and build a chain of trust that cuts down through various layers. You could almost think of it as hardware authentication, and let you, especially through zones, build zones that let you have similar physical characteristics, that you can say my data can only exist in XYZ, right? And those could be location, a list of pre-authorized chips, what have you. That's very powerful as well. And we, on the other side, are layering in those functions I talked about earlier and making them progressively more transparent. How do you make sure the right people... how do you actually identify the data throughout that stack regardless of physical location? How do you do the crypto and what have you, right?

Very good. So in this effort to do over, with, call it, the way you get from A to B, knowing that the IT business... throwing away... right. So you say the way to do that is to just get tighter and tighter integration, deeper integration?

And part of the challenge, by the way, is going to be, it's very hard to leave behind the old. And I can look to history and say, well, I can see roughly what people will do going from one wave of technology to another. It'll stick around, right? There will be some legacy stuff. You need to identify if you're going from a high-risk environment and moving to the cloud to lower your risk. There are instances in SMBs where almost everybody, by going to the cloud, can get there. That's a great example, right?
You know, because they often don't have an IT department and a security department, and frankly just having some standards might improve that, even without laying in some features. At the larger enterprise there is sometimes a very granular understanding of risk associated with their data and their infrastructure. So how is the provider of cloud services going to demonstrate to you what they're doing, so that you can show compliance, you can actually manage the risk? The more that becomes transparent, the more you're focused on the task and less on the tool, the better you're going to be at managing risk. So I'm not sure how much time we have left, but there's an awful lot we could talk about there.

Yeah, sure, on that point about auditing and understanding what the provider is actually doing relative to security, there's been some big developments going on, sort of skunkworks activities around CloudAudit and building namespaces for the purpose of publishing audit data from cloud service providers. Some perspective on that? Have you been involved in that, watching it?

I have, and there's a few coming up from the ground right now, and there's a few different ways to look at it, right. I'm going to say that, first of all, I was addressing a room once and said we need to share data. I've published a game theory derived model to predict how bad guys will behave, right, when you can quantify gains and losses. And I said we need to share data, and somebody in the back of the room quipped, capitalists aren't altruists. And I thought about it for a second. I said, you know, that's not always true. A good example is bees, right? Some breeds of bees will sting and kill, and they die when they do so. You have to ask yourself, why would anything evolve to be that way?
Why would anything in nature evolve to be able to actually do something altruistic for the hive, like sting an opponent and die? And the answer has to be, it's getting more out of the hive than even its own life is worth, for the propagation of its DNA. So not all altruism is in fact altruistic. There's some selfish motivation. And frankly, when you get to the point where, being part of a community, you get back more than you invest, and in particular when you start to get orders of magnitude more back than you invest, then the only choice for you is to be part of a community. And I think a lot of the talk around this is to try to generate metadata, because it's not reversible, like hashes, right? A hash function takes something, and the output can be compared to see if the two inputs were the same, but you can't reverse it. You can't get the pig back from the sausages, right? And so you want it to be metadata, but then you want to be able to start looking for patterns and generating new forms of information. As soon as we can do that, we can protect your privacy and, subscribing to a community and sharing your data, in exchange get out more stuff that helps you immunize and protect and reduce risk. So, you know, it's up to us. I think we are a bigger community than the bad guys. They are better at communicating and sharing. There is honor among thieves. It's up to us to use things like this to actually try to change the equation, right?
We want to try to share our logs. We want to share the information about where the bad guys are, don't let them hide behind one another and behind our own inability to coordinate. We may be slower, but there's more of us. And so I think ultimately, if we can actually figure out how to share data, metadata, in a way that doesn't violate privacy, we're going to be much more effective at reducing risk across the globe.

And the data can be consumed by a bunch of different applications, and I think those applications could be other service provider applications, they could be audit applications, they can be service and security applications also. So you're actually making the security tasks more real-time, which is, I think, a real value that comes out of some of the work.

Yeah, and if instead of... you know, it's funny, security is by and large reducing the risk associated with all of our processes and our data, but there's other forms of risk than just security risks. And so consuming that information can benefit availability, it can benefit troubleshooting. Your NOC might benefit from it when it's doing root cause analysis, for instance. So there's an awful lot to be said for creating these metadata communities, right? If we can do that effectively there's a ton of benefits we can get out of that.

Excellent.

They're not marketing benefits, by the way. I know a lot of folks worry about that. That's the whole reason it has to be metadata and not data, right?

One quick point. I think, like, the RSA Share Project, which is something newly announced here, a new community around, yeah, engineering more secure applications. Comments about that?

Yeah, so if you look at the history among a lot of security providers, among a lot of IT and software, it's that the way something is done is very awesome.
It's awesome. And we're working on the belief that there is more to be gained in the community by making some of that secret sauce in fact open, right, or free, and giving it away, and embedding it. As much as we use a common set of tools, RSA, we actually can go off and focus on things like intelligence management, understanding the dark cloud. But we can actually do more to do a sort of "shields up," if you will, for the internet. Right, here's a set of tools that are hardened and trusted and true, and rather than you using something you cobbled together yourself, which is pointless for a technology that's existed for a long time, we have versions of some of this software that we can share that will in fact raise general security levels far more than almost anything else we could do. So RSA Share actually began with BSAFE, right, versions of BSAFE we're giving away for free. There's information about it on our website, and there's other technology toolkits we'll put in there and that we're going to follow it with. But the principle is, let's get as many people using world-class security products as possible.

Excellent. RSA Share. So I just had one final question for you, Sam, and we've been asking this of a lot of the executives who've come on. We've got some folks in the audience, some young people, they might be in college, some kids who may have graduated, a lot of technology people out there. I wonder if I scared anybody away from security with the Maytag comment. Maybe there's some people like you that really like to take on some tough challenges, you know. So what we're asking you to do is maybe just give some advice to some of the younger people out there that might be interested in getting into the technology business, technology in general, or any particular parts. Well, I mean, you're a CTO of a large company, you know, a very successful individual, you've got great perspectives. You know, somebody interested in
getting into the technology field, or how about even specifically the security business?

Be bold. Be an adventurer. Adventurism is a good thing. You know, some of the greatest breakthroughs we've had as a culture came from a far smaller population base. Many of us, if you think about pioneering and going out and pushing boundaries, it usually happens with somebody with a pretty stupid idea, and your ideas are probably not that stupid. Don't assume somebody else has done it. If something you really and truly find fascinating absorbs you, then pursue it and tell your friends about it. And if they think you're stupid, tell me about it. I mean, you can always send me email, right? That's pretty straightforward. But keep pushing, and gravitate to the things that you find interesting and fascinating. My background has nothing to do, by the way, with computer science. It was originally physics and literature. But we rarely, by the way, map out what we're going to do in life and then follow that path. That would be rather boring, in fact. So follow the thing you find truly passionate about now, and by the way, later on you will look back and find a logical sequence. We all do that: sit down and go, well, here's my background, how logically did it flow?

Tiger Woods did that, followed the sequence thing. Look what happened to him, right?

Good point. And then, by all means, you know, I do look at him as an example of... but... boring. But what you should do is follow your passion. Don't say no. Don't accept pat answers. I can think of many brilliant teachers that I've had. The best ones were the ones who actually stopped and listened to something that sounded like it should have an obvious answer and didn't. So just push the envelope and don't settle. Don't settle for someone saying, well, that's how we do it. The best advice I ever got, by the way, there was a woman named Janet Chandler, many years ago.
She sat next to me, and I said, so how'd you get where you are? And she said, I never said no to anything. And I can honestly say I don't think I've ever said no to anything in my career. And that may sound awful, because you'll hear a lot of people say, push back, that's not your job, it's somebody else's job, leave it to them. Just never say no. Nothing should pass your desk without getting your imprint. Nothing is too small, and nothing is the sort of thing that you should just ignore, right? If something goes by, own it.

Sam, it's great. You know, Mike and I have been up to Bedford a few times. I really enjoy your perspectives. I think you're brilliant. It's unbelievable to me the way you're able to, with your literature background, just sort of explain some of it, to share some of these very interesting... I wrote a few down: watch the ounces and the pounds will follow. There's a flip one to that one, by the way, it's the big rocks one, right? You should focus on the big... You come to be more like your opponent and they like you. Not all altruism is altruistic, there's some self-motivation. And then my favorite today was, your ideas are probably not that stupid. We'll finish up here, day two from EMC World, live at The Cube. Thanks, everybody, for listening.